large organization nameservers sending icmp packets to dns servers.
Sean Donelan
sean at donelan.com
Mon Aug 6 20:56:43 UTC 2007
On Mon, 6 Aug 2007, Drew Weaver wrote:
> Is it a fairly normal practice for large companies such as Yahoo! and
> Mozilla to send icmp/ping packets to DNS servers? If so, why? And a
> related question would be, from a service provider standpoint, is there
> any reason to deny ICMP/PING packets to name servers within your
> organization?
They use ICMP/Echo Request to calculate a rough surrogate latency estimate
for potential users of that caching DNS server so they can return
different DNS answers depending on your network topology. Yes, it's an
approximation, and can be wrong. Some networks even re-route ICMP/Echo to
a completely different box which just responds to pings; so it may not
even go to the same place. Given all those caveats, many times it's still
the best guess you can make.
ICMP/ECHO is a separate protocol which is easy to filter if you want to,
without affecting "normal" TCP/UDP/etc packets. But then expect to get
"worse" default DNS answers from those same sites attempting to optimize
their DNS answers.
It would be cool if people ran NTP port 123 on their DNS servers,
and then we could get extreme measurements. But then I'm sure someone
would point out 62 flaws with that. In the end, it's up to each
network operator to make its own decision. If your DNS servers aren't
being negatively impacted, and it helps your users get better answers,
you might keep it. If the answers are reversed, you might drop them.
My IDS is badly tuned... Well, maybe there is a fix for that.
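The decision above ("are the DNS servers being negatively impacted?") needs numbers, not a badly tuned IDS. The following is an added example, not code from the thread or its authors: it parses constructed iptables LOG lines (the `SRC=... DST=... PROTO=ICMP TYPE=8` format), keeps only echo requests aimed at an assumed set of name server addresses, and reports per-source counts and rates so an operator can tell a low-rate latency probe from something that actually loads the resolver. The addresses, timestamps and rate threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (iptables LOG format); addresses are documentation ranges.
SAMPLE_LOG = """\
Aug  6 20:56:43 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.53 PROTO=ICMP TYPE=8 CODE=0
Aug  6 20:56:44 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.53 PROTO=ICMP TYPE=8 CODE=0
Aug  6 20:56:44 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.53 PROTO=ICMP TYPE=8 CODE=0
Aug  6 20:56:45 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.80 PROTO=ICMP TYPE=8 CODE=0
Aug  6 20:56:45 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.53 PROTO=UDP SPT=40001 DPT=53
Aug  6 20:56:46 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.53 PROTO=ICMP TYPE=0 CODE=0
"""

NAMESERVERS = {"192.0.2.53"}  # assumed: the organization's caching resolver(s)
LOG_YEAR = 2007               # assumed: syslog timestamps carry no year

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" PROTO=(?P<proto>\S+)(?: TYPE=(?P<type>\d+))?"
)


def echo_requests_to_nameservers(log_text, nameservers=NAMESERVERS):
    """Map each source address to the timestamps of its ICMP echo requests
    (type 8) that were addressed to one of our name servers. Echo replies,
    UDP/53 traffic and pings to other hosts are ignored."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "ICMP" or m["type"] != "8":
            continue
        if m["dst"] not in nameservers:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[m["src"]].append(ts)
    return hits


def summarize(hits, rate_threshold_pps=1.0):
    """Per source: packet count, average rate over the observed span, and a
    'noisy' flag for sources probing faster than the assumed threshold."""
    out = {}
    for src, times in hits.items():
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        rate = len(times) / span if span > 0 else float(len(times))
        out[src] = {"count": len(times), "rate_pps": round(rate, 2),
                    "noisy": rate > rate_threshold_pps}
    return out
```

A source that shows up at a packet or two per minute is the latency-probe behaviour described in the thread; only the sources flagged noisy are worth a filter or a closer look.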